It’s DNS Jim, but not as we know it!

RIPE 77

Sara Dickinson [email protected] sinodun.com @SinodunCom

What this talk will cover

• New IETF standards: Encrypted transports for DNS (TLS & HTTPS)
• Deployment Status: Clients and resolver services for encrypted DNS
• DNS resolution directly from applications: Browsers
• DNS resolution to third party providers: Implications for operators

Stub to recursive

Overview: Summarise the most recent evolutions in how end-device DNS resolution is being done (~past 5 years)

My Background

• Co-founder of Sinodun IT - small UK based consultancy
• Focussed on DNS, DNSSEC and DNS Privacy
• R&D, Open source dev, Standards dev
• DNS-over-TLS: involved in standards dev, implementation and deployment (we contribute to dnsprivacy.org).
• DNS-over-HTTPS: Not directly involved, no links to browser vendors

Goal today is to bring awareness to this audience of fast moving changes: The good, the bad and the ugly….

The DNS is showing its age

• Nov 1987 - RFC1034 and RFC1035 published!

Timeline: 1987 … 2018

No Security or Privacy in the original design!

DNS-over-TLS (DoT)

Timeline: 1987 … 2012 … 2018
• 2013: Snowden Revelations
• 2014: RFC7258: Pervasive Monitoring is an attack; DPRIVE WG formed
  Goals: 1) Encrypt Stub-Rec DNS 2) Think about Rec-Auth?
• 2016: RFC7766: DNS-over-TCP; RFC7858: DNS-over-TLS (Port 853)

DNS-over-TLS (DoT) Status

Date         Event
2015 - 2018  Implementations: Clients: Android Pie, systemd, Stubby; Servers: Unbound, Knot resolver, dnsdist, (BIND)
2015 - now   Set of 20 test DoT servers
Nov 2017     Quad9 (9.9.9.9) offer DoT
Mar 2018     Cloudflare launch 1.1.1.1 with DoT

System stub resolvers: Need native Windows & macOS/iOS support

Easy to run a DoT server

Encrypted DNS: the good…

• Defeats passive surveillance
• Server authentication if a name is manually configured (PKIX or DANE - RFC8310)
  • Prevents redirects, can’t intercept DNS queries
  • Increases ‘trust’ in service (DNSSEC, filtering…)
• Data integrity of transport - can’t inject spoofed responses

Opportunistic DoT: just need IP address (Android Pie default)

Strict DoT: need a name too

Encrypted DNS: the bad & ugly…

• SNI still leaks (but not for long! draft-rescorla-tls-esni)
• A dedicated port (853) can be blocked (443 fallback)
• Resolver still sees all the traffic (who do you ‘trust’?)
• If using a resolver NOT on the local network (not available)
  • Breaks Split horizon DNS (fallback possible), leaks internal names. Similar to e.g. using 8.8.8.8 but….

Encrypted traffic bypasses local monitoring & security policies

For DoT, seen as short term or rare…

…..to their own chosen cloud resolver service!

DNS-over-HTTPS (DoH)

Timeline: 1987 … Aug 2018 (dates marked on the slide: March 2017 (IETF 98), May 2017, Jul 2017, Sep 2017, Oct 2017, Aug 2018)
• First DoH draft published (query init)
• DoH WG formed
• DoH draft adopted
• Submitted to IESG
• Approved

Goals: “This working group will standardize encodings for DNS queries and responses that are suitable for use in HTTPS.”

FAST!

How is DoH different to DoT?

• A Use case (of many): “allowing web applications to access DNS information via existing browser APIs”
• Discovery - MUST use a URI template (not IP address)
• Two models:
  • Dedicated connections (only DoH traffic) - hard to block
  • Mixed connections (send DoH on existing HTTPS connections)
• Better privacy? Not leaking queries
• Increased tracking: HTTP headers allow tracking of query via e.g. ‘User-agent’ (application), language, etc.

Specification differences

No ‘Opportunistic’

Impossible to block JUST DNS traffic

New privacy concerns
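As an added example (not code from the slides or from Sinodun), the Python below makes the two specification differences concrete: the same wireformat query is framed with a length prefix for DoT (RFC 7766 framing on the TLS stream to port 853) and base64url-encoded into the {?dns} URI template for a DoH GET (RFC 8484, the approved DoH specification), and a client TLS context is built for the two RFC 8310 usage profiles from the “Encrypted DNS: the good…” slide, where Opportunistic needs only an IP and Strict needs a name too. The Cloudflare template is the one listed on the DoH Status slide; dot.example.net is a constructed authentication name, and www.example.com is the query used in the RFC 8484 GET example.

```python
"""Added example (not from the slides): one stub query encoded for DoT and for
DoH, plus the TLS context for the RFC 8310 Opportunistic and Strict profiles."""
import base64
import ssl
import struct
from typing import Optional, Tuple

# DoH URI template from the slides (RFC 8484 requires a template, not an IP).
DOH_TEMPLATE = "https://cloudflare-dns.com/dns-query{?dns}"


def build_query(name: str, qtype: int = 1, query_id: int = 0) -> bytes:
    """Minimal DNS wireformat query: header with RD set and one question.
    ID 0 keeps identical DoH GET URLs cache-friendly (RFC 8484 recommends it)."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(template: str, query: bytes) -> str:
    """Expand a {?dns} URI template with the query in unpadded base64url."""
    if "{?dns}" not in template:
        raise ValueError("DoH template must carry the {?dns} variable")
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + encoded)


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing (RFC 7766): a two-byte
    big-endian length precedes each message on the TLS stream."""
    return struct.pack("!H", len(query)) + query


def dot_tls_context(profile: str, auth_name: Optional[str] = None
                    ) -> Tuple[ssl.SSLContext, Optional[str]]:
    """Client TLS context for an RFC 8310 usage profile.

    strict: a configured authentication domain name is mandatory; it is sent
            as SNI and used to validate the server certificate (PKIX), and
            any failure must abort rather than fall back to cleartext.
    opportunistic: only the resolver IP is needed; TLS is attempted but
            certificate problems do not stop the stub (Android Pie default).
    """
    ctx = ssl.create_default_context()
    if profile == "strict":
        if not auth_name:
            raise ValueError("Strict DoT needs a name too, not just an IP address")
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        return ctx, auth_name
    if profile == "opportunistic":
        ctx.check_hostname = False   # must be cleared before dropping verification
        ctx.verify_mode = ssl.CERT_NONE
        return ctx, auth_name        # a name, if known, is still offered as SNI
    raise ValueError(f"unknown DoT profile: {profile!r}")


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoH GET:", doh_get_url(DOH_TEMPLATE, q))
    print("DoT frame (hex):", dot_frame(q).hex())
    ctx, sni = dot_tls_context("strict", "dot.example.net")  # constructed name
    print("Strict profile validates against:", sni)
```

The Strict branch is the whole difference between “just need IP address” and “need a name too”: without a name there is nothing to validate the certificate against, which is also why DoH, whose discovery is a URI template containing a host name, has no opportunistic mode.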

DoH Status

Implementations

Client:
• Firefox config option
• Chrome/Bromite
• Android ‘Intra’ App
• Cloudflared
• Stubby (next release)
• Various experimental

Servers:
• dnsdist (WIP)
• Knot resolver (patches)
• Various experimental

Servers

Standalone:
• ~10 other test servers

Large Scale:
• Cloudflare (https://cloudflare-dns.com/dns-query)
• Google (https://dns.google.com/experimental)
• Quad9 (https://dns*.quad9.net/dns-query)
• 3 flavours of service

“Moziflare”

DNS in Browsers

• Some already have their own DNS stub (e.g. Chrome)
• Some already use encrypted DNS (Yandex, Tenta)
• Firefox had DoH since 61, not enabled by default
  • Firefox experiment being performed….
• Chrome has a DoH implementation (not exposed, not advertised)
  • Recently a PR to add a config option
  • And Google has a handy recursive resolver service in 8.8.8.8…

Dedicated DoH connections

Browser vendors control the client and update frequently.

DoH in Browsers

• Why encrypt directly from the browser? Browser folks say:
  • Selling point: “we care about the privacy of our users”
  • OS’s are slow to offer new DNS features (DoT/DoH)
  • Performance: “reduce latency within browser”
• Why DoH, not DoT? Mozilla’s answer:
  • Integration: “leverage the HTTPS ecosystem”
  • HTTPS everywhere: “it works… just use port 443, mix traffic”
  • Cool stuff: “JSON, Server Push, ‘Resolverless DNS’….” DNS 2.0?

DoH in Firefox

• Mozilla blogs:
  • Experiment & Future plans (May 2018):
    • “We’d like to turn this [DoH] on as the default for all of our users”
    • “Cloudflare is our ‘Trusted Recursive Resolver’ (TRR)”
    • “With this [agreement], we have a resolver that we can trust to protect users’ privacy. This means Firefox can ignore the resolver that the network provides and just go straight to Cloudflare.”

Dedicated DoH connections

DoH in Firefox

• Mozilla blogs:
  • Firefox Nightly ‘Experiment’ (June) & Experiment results (Aug)
  • Half of users opted-in: Send all DNS queries to system resolver AND to Cloudflare, compare the results.
  • “Initial experiment focused on validating: 1. Does the use of a cloud DNS service perform well enough to replace traditional DNS?”
  • Another experiment in Firefox Beta announced…(Sept)

Dedicated DoH connections

RESULTS: 6ms performance overhead is acceptable

“We’re committed long term to building a larger ecosystem of trusted DoH providers that live up to a high standard of data handling.”

“Trusted recursive resolver”

• Tweet from Mozilla developer: “We haven't announced what that config will be or when it will be deployed (because we're still working on it :)).”
• DNS community is in limbo waiting for this decision!

Impact of TRRs? Applications using default TRRs fundamentally change the existing implicit consent model for DNS:
• (Current) Log onto a network and use the DHCP provided resolver
• (New?) Use an app and agree to app T&C’s (including DNS?)

Potential centralisation of DNS resolution to a few providers?

Reactions are mixed…

Soon, DoH+TRR in this browser will be fully operational!

Reactions?

• Ban/Block/Intercept Moziflare - ‘My network, my rules’
  • Operators need visibility (TLS 1.3 deja vu)
  • Is it even legal?
• Threat model analysis needed:
  • TRR useful but only in untrusted networks?
  • Users need choice (US lack of net neutrality vs EU GDPR)
  • Government regulation of TRRs, monetary incentives for apps?
• Analysis of third party DNS by PowerDNS
  • Neutrality of DNS operators (CDN’s?)
  • Legislation for blocking/filtering/interception?

EPIC thread on DNSOP

Lots of questions…

Managing many devices in enterprises

• What are Chrome, Safari, IE/Edge plans?
• What if other apps also do their own DoH/DoT?
• Loss of central point of config on an end device?
  • Loss of network settings as the default
  • DNS no longer part of the device infrastructure?
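To show what “Operators need visibility” and “Impossible to block JUST DNS traffic” mean for someone managing such devices, here is an added example (not from the slides or from Sinodun) that runs a simple classifier over constructed flow records. DoT keeps its dedicated port 853 and so stays recognisable as DNS; DoH on port 443 can only be picked out when the destination is on an operator-maintained list of known DoH endpoints, and mixed-connection DoH to any other HTTPS server looks like ordinary web traffic. The flow records, the local resolver address and the endpoint list are all constructed for the example; the public resolver addresses are the ones named in the talk.

```python
"""Added example (not from the slides): what an operator's flow records show
once stub-to-recursive DNS moves off port 53."""
from collections import Counter
from typing import Dict, List

# Constructed sample flows. 10.0.0.0/8 hosts are local clients, 192.168.0.1 is
# the DHCP-provided resolver, 203.0.113.0/24 (RFC 5737 documentation space)
# stands in for ordinary web servers, and the public addresses are the
# resolvers named on the slides.
FLOWS = [
    {"src": "10.0.0.5", "dst": "192.168.0.1",  "dport": 53,  "proto": "udp"},
    {"src": "10.0.0.5", "dst": "9.9.9.9",      "dport": 853, "proto": "tcp"},
    {"src": "10.0.0.6", "dst": "1.1.1.1",      "dport": 853, "proto": "tcp"},
    {"src": "10.0.0.6", "dst": "1.1.1.1",      "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.8", "dst": "8.8.8.8",      "dport": 53,  "proto": "udp"},
]

LOCAL_RESOLVERS = {"192.168.0.1"}
# Assumed operator-maintained list of the large-scale DoH services on the
# slides. Anything not on it is indistinguishable from ordinary HTTPS.
KNOWN_DOH_ENDPOINTS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def classify(flow: Dict) -> str:
    """Label one flow by what the port and destination reveal about DNS."""
    if flow["dport"] == 53:
        return "dns-local" if flow["dst"] in LOCAL_RESOLVERS else "dns-external"
    if flow["dport"] == 853:
        return "dot"                  # dedicated port: visible (and blockable) as DNS
    if flow["dport"] == 443:
        if flow["dst"] in KNOWN_DOH_ENDPOINTS:
            return "https-known-doh"  # may be DoH, may be the resolver's web site
        return "https"                # web traffic or mixed-connection DoH: no way to tell
    return "other"


def summarise(flows: List[Dict]) -> Dict[str, int]:
    """Count flows per class; the plain 'https' bucket is where DoH hides."""
    return dict(Counter(classify(f) for f in flows))


def hosts_without_local_dns(flows: List[Dict]) -> List[str]:
    """Hosts that talk HTTPS but never query the local resolver.
    With DoH on 443 there is no port or endpoint to match on, so the absence of
    the DNS traffic a host should be generating is one of the few signals left."""
    local_dns, https = set(), set()
    for f in flows:
        kind = classify(f)
        if kind == "dns-local":
            local_dns.add(f["src"])
        elif kind.startswith("https"):
            https.add(f["src"])
    return sorted(https - local_dns)


if __name__ == "__main__":
    for kind, count in sorted(summarise(FLOWS).items()):
        print(f"{kind:16s} {count}")
    print("HTTPS without local DNS:", hosts_without_local_dns(FLOWS))
```

The absence heuristic is deliberately coarse: it cannot separate a browser using a TRR from a host that simply had its names cached, and it does nothing for the dedicated-connection model if the endpoint list is stale. That gap is the operator side of the “Loss of network settings as the default” bullet above.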

What to do?

• Think about running a DoT server in your network: for system level resolvers e.g. Android, Stubby, systemd it is the right thing!
• Think about running a DoH server in your network: gives users the option to use that, centralisation of DNS to a few players is a bad thing!
• Watch this space and spread the word! Work in progress:
  • DoH discovery mechanism & Best Current Practices
  • More detailed DNS-OARC talk
  • dnsprivacy.org website & twitter

Stay tuned….

Thank you!